Re: AD Review of draft-ietf-httpbis-client-cert-field-04

Brian Campbell <bcampbell@pingidentity.com> Tue, 28 February 2023 22:07 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 28 Feb 2023 15:06:20 -0700
Message-ID: <CA+k3eCT8TXk7AOUb+bVFHZnNpSye8XF8t=4Q=-Ugy9+Xo5G-8w@mail.gmail.com>
To: Francesca Palombini <francesca.palombini@ericsson.com>
Cc: "draft-ietf-httpbis-client-cert-field@ietf.org" <draft-ietf-httpbis-client-cert-field@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: AD Review of draft-ietf-httpbis-client-cert-field-04
Archived-At: <https://www.w3.org/mid/CA+k3eCT8TXk7AOUb+bVFHZnNpSye8XF8t=4Q=-Ugy9+Xo5G-8w@mail.gmail.com>

Hi Francesca,

I've submitted a -05 that incorporates this and Genart review feedback:
https://lists.w3.org/Archives/Public/ietf-http-wg/2023JanMar/0185.html
On Tue, Feb 7, 2023 at 3:28 PM Brian Campbell <bcampbell@pingidentity.com> wrote:

> Thanks Francesca,
>
> Some followup comments/questions are inline below.
>
> On Mon, Feb 6, 2023 at 9:42 AM Francesca Palombini <francesca.palombini@ericsson.com> wrote:
>
>> # AD Review of draft-ietf-httpbis-client-cert-field-04
>>
>> Thank you for this document.
>>
>> No major comments from me, only one comment around a normative MUST and
>> some nits, which you can address together with any other last call comments.
>>
>> I also note that the consensus of the wg is for it to be informational,
>> which is fine since I understand this document is meant to be the reference
>> specification for two IANA registrations that are "specification required",
>> but it read to me as a standard track doc. As the wg has discussed and
>> gotten consensus around informational, I don't expect any change, just
>> bringing it up one last time before LC since I expect there might be more
>> comments in LC and IESG eval.
>>
>> ## Comments
>>
>> ### MUST prevent unintended use
>>
>> Section 4:
>>
>> > Therefore, steps MUST be taken to prevent unintended use, both in
>> sending the header field and in relying on its value.
>>
>> This might simply be a formulation problem, but when I read it I am not
>> sure this is a MUST the reader will know how to implement.
>>
>
> The idea with that sentence was that the 'how' is described in the rest of
> the section. The keyword MUST probably isn't appropriate there. And a bit
> more context might be useful too. Would changing it to this sentence
> address that formulation problem? Or maybe I'm missing your point...
>
> "Therefore, steps such as those described below need to be taken to
> prevent unintended use, both in sending the header field and in relying on
> its value."
>
>>
>> ## Nits
>>
>> ### Editorial nits
>>
>> Section 4:
>>
>> > The configuration options and request sanitization are necessarily
>> functionally of the respective servers.
>>
>> s/necessarily functionally/necessary functions ?
>>
>
> Either works I think :) But I'll change it.
>
>> ### Considerations considered
>>
>> Funny title for Appendix B :) Where are the considerations not considered?
>>
>
> It was actually intended to be somewhat humorous. :)  I was trying to
> convey something like "these are some things that were considered" to
> hopefully avoid questions about whether they'd been considered. Kind of
> like a FAQ for the general approach taken by the document. Also I didn't
> feel great about other potential titles there. But I can see how the title
> doesn't look great. I know this sounds silly but I'm not sure what the
> section title should be. Maybe "Document Considerations" "General
> Considerations" or "Design Considerations"? Or something else that I'm not
> able to think of?
>

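
The two Section 4 steps the thread refers to (sanitizing the header field on the sending side, and relying on it only when it demonstrably came through the trusted proxy), as an added Go example that is not part of the draft or of this thread. It assumes the proxy has already validated the client certificate in the TLS handshake and encodes the DER certificate as an RFC 8941 Byte Sequence, as the draft specifies for Client-Cert; the function names, the `fromTrustedProxy` flag and the self-signed test certificate are constructed for illustration and are not from the draft:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

const (
	clientCertField      = "Client-Cert"
	clientCertChainField = "Client-Cert-Chain" // only stripped here, never populated
)

// encodeByteSequence serializes DER as an RFC 8941 Byte Sequence: ":" base64 ":".
func encodeByteSequence(der []byte) string {
	return ":" + base64.StdEncoding.EncodeToString(der) + ":"
}

// decodeByteSequence parses one Byte Sequence strictly; malformed input is rejected, not repaired.
func decodeByteSequence(v string) ([]byte, error) {
	if len(v) < 2 || v[0] != ':' || v[len(v)-1] != ':' {
		return nil, errors.New("not a structured field byte sequence")
	}
	return base64.StdEncoding.DecodeString(v[1 : len(v)-1])
}

// ProxySetClientCert is the sending-side step: the TTRP deletes whatever Client-Cert /
// Client-Cert-Chain the client sent (a client must never assert a certificate it did not
// prove possession of), then sets Client-Cert only if TLS authenticated a peer certificate.
func ProxySetClientCert(h http.Header, peer *x509.Certificate) {
	h.Del(clientCertField)
	h.Del(clientCertChainField)
	if peer != nil { // in a real proxy: tls.ConnectionState.PeerCertificates[0]
		h.Set(clientCertField, encodeByteSequence(peer.Raw))
	}
}

// OriginClientCert is the relying-side step. fromTrustedProxy stands in for however the
// deployment knows the request came through the TTRP (its own mTLS with the proxy, a private
// network path); a request that bypassed the proxy could carry a forged header, so it is ignored.
func OriginClientCert(h http.Header, fromTrustedProxy bool) (*x509.Certificate, error) {
	if !fromTrustedProxy {
		return nil, errors.New("Client-Cert ignored: request did not arrive via the trusted proxy")
	}
	vals := h.Values(clientCertField)
	switch {
	case len(vals) == 0:
		return nil, nil // no client certificate was presented; not an error
	case len(vals) > 1:
		return nil, errors.New("multiple Client-Cert fields")
	}
	der, err := decodeByteSequence(vals[0])
	if err != nil {
		return nil, fmt.Errorf("malformed Client-Cert: %w", err)
	}
	return x509.ParseCertificate(der)
}

// newSelfSignedCert builds a constructed client certificate standing in for the one the
// handshake would have validated on the proxy's inbound connection.
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newSelfSignedCert("alice")
	if err != nil {
		panic(err)
	}
	// Constructed inbound request: the client tried to smuggle its own Client-Cert.
	h := http.Header{clientCertField: {":c3Bvb2ZlZA==:"}}
	ProxySetClientCert(h, cert)
	got, err := OriginClientCert(h, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("origin sees:", got.Subject.CommonName)
	_, err = OriginClientCert(h, false)
	fmt.Println("bypassing the proxy:", err)
}
```

The proxy deletes both fields before deciding whether to set Client-Cert, so a request over a connection with no authenticated client certificate reaches the origin with no Client-Cert at all, not with whatever the client put there; the origin in turn parses the value strictly and refuses to look at it unless the request is known to have traversed the proxy.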